Confirm the account is on an Enterprise plan; the Audit Logs API is only available on Enterprise and above.
Authenticate with admin credentials; non-admin roles cannot read audit logs.
Send a GET to /api/v2/audit_logs to retrieve a paginated list of account-level audit events; the endpoint returns up to 100 records per page.
Use filter parameters to narrow results: filter[action][] accepts create, update, or destroy; filter[actor_id] scopes to a specific admin user; filter[created_at][] accepts ISO 8601 date strings for start and end range.
Iterate through pages using the next_page URL in the response meta until next_page is null.
Store the created_at timestamp of the most recent event processed and use it as the lower bound of filter[created_at][] on future runs for incremental polling.
Known gotchas
The Audit Logs endpoint has a separate, much stricter rate limit of one request per minute per account; this endpoint is not suitable for high-frequency polling and is intended for periodic compliance exports.
Audit Logs record account configuration changes (admin actions, policy changes, agent management) — they do not record individual ticket field changes, which are tracked separately in Ticket Audits (/api/v2/tickets/{ticket_id}/audits).
Filter parameters use bracket notation (filter[action][]=create); failing to encode the brackets correctly in the query string will cause the filter to be silently ignored and all records to be returned.
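The export procedure and the gotchas above, as an added Python example (not code from this page or from the API vendor): it percent-encodes the bracket filters, follows next_page while pausing 60 seconds between requests, rejects records that fall outside the requested filter, and returns the newest created_at for the next incremental run. Assumptions: `fetch` is a hypothetical callable that performs the authenticated admin GET and returns decoded JSON, records sit under an `audit_logs` key with `action` and `created_at` fields, and timestamps are same-format UTC strings so they compare lexicographically.

```python
import time
from urllib.parse import urlencode

PATH = "/api/v2/audit_logs"
MIN_INTERVAL_S = 60  # the page states one request per minute per account


def build_url(base, since, until, actions=(), actor_id=None):
    """First-page URL; urlencode turns '[' and ']' into %5B and %5D."""
    params = [("filter[created_at][]", since), ("filter[created_at][]", until)]
    params += [("filter[action][]", a) for a in actions]
    if actor_id is not None:
        params.append(("filter[actor_id]", str(actor_id)))
    return f"{base}{PATH}?{urlencode(params)}"


def export(fetch, first_url, since, actions=(), sleep=time.sleep):
    """Follow next_page until it is null; return (events, newest created_at).

    fetch(url) is a hypothetical callable (assumption, see lead-in). Assumed
    response shape: {"audit_logs": [...], "next_page": url-or-None}.
    """
    events, url, newest = [], first_url, since
    while url:
        page = fetch(url)
        for ev in page.get("audit_logs", []):
            # A silently ignored filter returns everything, so verify each record.
            if ev["created_at"] < since or (actions and ev["action"] not in actions):
                raise ValueError(f"record outside filter, check encoding: {ev}")
            events.append(ev)
            newest = max(newest, ev["created_at"])
        url = page.get("next_page") or page.get("meta", {}).get("next_page")
        if url:
            sleep(MIN_INTERVAL_S)  # stay under the audit-log rate limit
    return events, newest


if __name__ == "__main__":
    # Constructed two-page response for an offline run; not real API output.
    base, since = "https://example.invalid", "2024-01-01T00:00:00Z"
    first = build_url(base, since, "2024-02-01T00:00:00Z", ["destroy"])
    second = base + PATH + "?page=2"
    pages = {
        first: {"audit_logs": [{"action": "destroy", "created_at": "2024-01-05T10:00:00Z"}],
                "next_page": second},
        second: {"audit_logs": [], "next_page": None},
    }
    print(export(pages.__getitem__, first, since, ["destroy"], sleep=lambda s: None))
```

Persist the returned timestamp only after the run completes without raising, so a rejected page does not advance the polling cursor.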